show image

Sooraj Shah

Contributing Editor

Sooraj Shah is Contributing Editor of New Statesman Tech with a focus on C-level IT leader interviews. He is also a freelance technology journalist.

“We say no to more money from our partners – security is a behavioural problem,” says Freshfields CISO

Freshfields Bruckhaus Deringer is a global law firm with 27 offices. Like many businesses, the company is in the midst of a big digital transformation programme, which aims to change the capabilities for end users, giving them greater flexibility and better productivity tools.

To ensure that the programme, the tools and the company are secure, Freshfields has an information security group, which works on everything from supplier assurance and contract reviews all the way through to internal client audit, cyber incident response investigations and insider threat detection as well as a client consultancy support service.

Heading up the group is chief information security officer (CISO) and senior director of the organisation, Mark Walmsley, who is responsible for information security and privacy operations.

Walmsley tells NS Tech at the Cyber Security Connect UK conference in Monaco, that in order to introduce new tools and capabilities into Freshfields, his team has to ensure that the new estate is secured, particularly with a lot of investment going into cloud-based technology.

“This means a lot of configuration, and making sure the supplier is right and knowing where our data is,” he says.

In addition, the company has invested heavily in thwarting insider threats, and is looking at proactive threat intelligence outside of the firm’s network.

“So when you look at the seven stages of a kill chain for a cyber breach, most people operate in five or six, which is basically when the attack is happening and you hope to get to it where you can stop it before it’s been effective.

“We’re moving that right down to reconnaissance, so stage one – if someone starts looking at our business or our clients for our industry or someone starts to go malicious on the inside, we want to know at that point in time – that person needs to be kept an eye on,” he says.

The law firm will then take one of two approaches: one is to alert the employee that what they’re doing doesn’t align to the expected behaviour, and the other is consider the person may go rogue and therefore act decisively there and then.

“Sometimes we can just remove permissions and say ‘we think you’re a problem and therefore we have to take away some permissions to restrict the ability to cause chaos,” Walmsley says.

This kind of decision won’t be made by the information security group alone – it will have to be verified either by HR lawyers or by the general counsel.

“We treat people as they are part of the family so it’s not a big brother is watching you the entire time. It’s a very different message, which is ‘your behaviour impacts on us and our clients – the firm has been around for a long time, it’s your responsibility to help ensure we’re still here for the future’ – and people take that really seriously,” Walmsley says.

Walmsley states that the artificial intelligence technology for this monitoring is used just as often to detect a behaviour as it is prove that someone didn’t do a behaviour – for example if it came from an employee’s PC but it wasn’t them.

Raising cyber security awareness

The organisation carries out an e-learning session every year to two different groups. Last year, the company went further and dedicated the whole month of October to cyber security. This included articles being published, 90-second video skits which would educate employees on basic security protocols, and phishing simulations.

“The uptake was fantastic, because people actually want to know how to behave and there’s no point giving them a policy and telling them to read it and not go outside of it,” he says.

Walmsley’s team holds threat awareness sessions in the mornings where employees can come by and have a look at a lot of the intelligence on the company’s screens. Recently, the company carried out a live demo to the partners of Freshfields, to explain that security is not binary.

“We have to explain there’s lots of things like a game of chess, we have to move the pieces around to defend ourselves and here are all of the intelligence [information] that we have to go through. We show them the complexity of the problem we’re dealing with; it isn’t just always safe or not safe, and we can show them all of the technology we’re monitoring for vulnerabilities and patching and all of the attacks that are happening live and the volume of emails that are blocked – which is around 30 million a year,” he says.

The partners of the firm have been taking what they’ve learnt on board and have even come to Walmsley to ask him to explain the same issues with other senior members of staff who need to be in the know.

“They find it so interesting and so complex and they say: ‘how much money do we need’ – which is unheard of in security, and we say ‘no’ because we don’t want to spend cash. The problem is behaviours – you can’t put money at a people problem,” he says.

“Finally, they also send emails to say that something doesn’t look right to them and they want us to look at it – suddenly, they’ve now got accountability for their own actions” he adds.